diff options
| author | Noah Misch | 2023-08-07 13:05:56 +0000 |
|---|---|---|
| committer | Noah Misch | 2023-08-07 13:05:59 +0000 |
| commit | f53511010b72d7d314e22be7c63ef94792fee345 (patch) | |
| tree | 54d4406af5746be10436d1afdfe269b47f899226 /configure | |
| parent | e8386b2cef7741aa4e49870691d67f792d5f6789 (diff) | |
Reject substituting extension schemas or owners matching ["$'\].
Substituting such values in extension scripts facilitated SQL injection
when @extowner@, @extschema@, or @extschema:...@ appeared inside a
quoting construct (dollar quoting, '', or ""). No bundled extension was
vulnerable. Vulnerable uses do appear in a documentation example and in
non-bundled extensions. Hence, the attack prerequisite was an
administrator having installed files of a vulnerable, trusted,
non-bundled extension. Subject to that prerequisite, this enabled an
attacker having database-level CREATE privilege to execute arbitrary
code as the bootstrap superuser. By blocking this attack in the core
server, there's no need to modify individual extensions. Back-patch to
v11 (all supported versions).
Reported by Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph
Berg.
Security: CVE-2023-39417
Diffstat (limited to 'configure')
0 files changed, 0 insertions, 0 deletions